Jinceon

Reputation: 1342

Is it reasonable to get the session ID from the URL rather than from a cookie? Something about express-session

I have some domains (which may change very frequently), and two stable domains (e.g. auth.aaa.com, api.aaa.com).

express-session (https://www.npmjs.com/package/express-session) gets the session ID from a cookie by default, but when crossing domains, AJAX won't send the cookie (I don't want to use something like Access-Control-Allow-Credentials). I want to add the session ID to the query string and forge a cookie before the express-session middleware.

var express = require('express');
var session = require('express-session');
var RedisStore = require('connect-redis')(session); // assumed: the redis store used below is connect-redis
var signature = require('cookie-signature');
var cookie = require('cookie');
var config = require('./config'); // assumed: holds the redis connection settings

var app = express();

// Take the session ID from ?ss=<id>, sign it the way express-session expects
// ('s:' + value.signature, using the same secret as the session middleware) and
// write it into the Cookie header so express-session finds it as if the browser
// had sent it. Note that this replaces any cookies the request already carried.
app.use(function (req, res, next) {
    var ss = req.query.ss;
    if (ss) {
        var signed = 's:' + signature.sign(ss, 'secret');
        req.headers.cookie = cookie.serialize('jsessionids', signed);
    }
    next();
});

app.use(session({
    name: 'jsessionids',
    store: new RedisStore({
        host: config.redis.host,
        port: config.redis.port,
        pass: config.redis.password,
        db: config.redis.database
    }),
    resave: false,            // don't save session if unmodified
    saveUninitialized: false, // don't create session until something stored
    secret: 'secret'          // must match the secret passed to signature.sign above
}));

Is it reasonable? Or do you have any other suggestions?

Upvotes: 3

Views: 1243

Answers (1)

Ash

Reputation: 6783

It is generally not advisable to add the session as a query parameter; you have to jump through lots of hoops to get it to near the same level of security as cookies.

The main problem is that it is much more vulnerable to session fixation or session hijacking, which is where an attacker can steal and use another user's session.

Some key points to take into consideration:

  • Query parameters are stored in browser history, bookmarks and referrer headers (just to name a few), which could allow an attacker to use another user's session on a shared environment. Query string based sessions are much easier to leak outside their intended scope.
  • Cookies have better security mechanisms built in, such as the httpOnly flag, which makes the cookies inaccessible to JavaScript (whereas query strings are always accessible). The secure flag makes sure that cookies are only sent over a secure connection (you could perhaps use HSTS to help guard against MITM attacks for query strings).
  • A user who shares a link with their session ID in the query string would allow any other user to assume their identity.

If you do decide to use the session ID in the query string, make sure you set an expiration time for the session and always use TLS to securely transmit the session (the same applies to any authentication method).

Saying that, if you can avoid using query string based sessions, I would advise you do.

Upvotes: 3
